File:!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU Passphrase: `CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN` Complaints/cits: to `jvn` @ `` Browsable dir: - **COTTONAXE** - **STOICSURGEON** - **INCISION** - **ITIME** - *dffff - **ELDESTMYDLE** - **SUAVEEYEFUL** - **WATCHER** - **YELLOWSPIRIT** # Misc - **FUCK YEAH - (HIDELIGHT)** unhide **NOPEN** window to run unix oracle db scripts - **DUL** shellcode packer - **egg_timer** execution delayer (equivalent to `at`) - **ewok** [snmpwalk]( - **gr** Web crontab manager? wtf. NSA are webscale dude - **jackladderhelper** simple port binder - **magicjack** [DES]( implementation in Perl - **ri** equivalent to `rpcinfo` - **uX_local** Micro X server, likely for remote management # Remote Code Execution ## Solaris - **EVENLESSON** - [Exploit]( for OpenSSL 0.9.6d x86 and earlier - **CATFLAP** Solaris 7/8/9 (SPARC and Intel) RCE (for a [__LOT__]( ) of versions) - **EASYSTREET**/ - **EBBISLAND**/**ELVISCICADA**/**snmpXdmid** and **frown**: `CVE-2001-0236`, Solaris 2.6-2.9 - snmpXdmid Buffer Overflow - **sneer**: *mibissa* (Sun snmpd) RCE, with *DWARF* symbols :D - **dtspcdx_sparc** dtspcd RCE for SunOS 5. -5.8. what a useless exploit - **TOOLTALK** DEC, IRIX, or Sol2.6 or earlier Tooltalk buffer overflow RCE - **VIOLENTSPIRIT** RCE for ttsession daemon in CDE on Solaris 2.6-2.9 on SPARC and x86 ## Netscape Server - **xp_ns-httpd** NetScape Server RCE - **nsent** RCE for NetScape Enterprise server 4.1 for Solaris - **eggbasket** RCE for Netscape Enterprise/3.6 & 3.6 SP1, solaris 2.6-2.9 ## FTP servers - **EE** proftpd 1.2.8 RCE, for RHL 7.3+/Linux, `CVE-2011-4130`? another reason not to use proftpd - **wuftpd** likely `CVE-2001-0550` ## Web - **ESMARKCONANT** exploits phpBB vulnerability (<[2.0.11]( `CVE-2005-2086` - **ELIDESKEW** Public known vulnerablity in [SquirrelMail]( versions 1.4.0 - 1.4.7: likely `CVE-2006-4019` - **ELITEHAMMER** Runs against RedFlag Webmail 4, yields user `nobody` - **ENVISIONCOLLISION** ~~RCE for phpBB (derivative)~~ Installs a hook on IP.Board to gain RCE - **EPICHERO** RCE for [Avaya Media Server]( - **ELEGANTEAGLE** RCE in cPanel via **toffeehammer** - **EXCELBERWICK** RCE against xmlrpc.php on Unix platforms (Probably [CVE-2005-1921]( ## Misc - **calserver** spooler RPC based RCE - **EARLYSHOVEL** RCE RHL7 using sendmail - **ECHOWRECKER**/**sambal**: samba 2.2 and 3.0.2a - 3.0.12-5 RCE (with *DWARF* symbols), for FreeBSD, OpenBSD 3.1, OpenBSD 3.2 (with a non-executable stack, zomg), and Linux. Likely `CVE-2003-0201`. There is also a Solaris version - **ELECTRICSLIDE** RCE (heap-overflow) in [Squid](, with a chinese-looking vector - **EMBERSNOUT** a remote exploit against Red Hat 9.0's httpd-2.0.40-21 - **EMPTYBOWL** RCE for MailCenter Gateway (mcgate) - an application that comes with Asia Info Message Center mailserver; buffer overflow allows a string passed to popen() call to be controlled by an attacker; arbitraty cmd execute known to work only for AIMC Version - **ENGAGENAUGHTY**/**apache-ssl-linux** Apache2 mod-ssl RCE (2008), SSLv2 - **ERRGENTLE** - [RCE binary]( for Exim Mail Transfer Agent version 3.22-3.35 - **ENTERSEED** Postfix RCE, for 2.0.8-2.1.5 - **ERRGENTLE**/**xp-exim-3-remote-linux** Exim remote root, likely `CVE-2001-0690`, Exim 3.22-3.35 - **EXPOSITTRAG** exploit pcnfsd version 2.x - **extinctspinash**: `Chili!Soft ASP` stuff RCE? and *Cobalt RaQ* too? - **EYEMASK** - IMAP masquerade - **KWIKEMART** (**km** binary) RCE for SSH1 padding crc32 thingy ( - **EXPOSITTRAG**/**prout** (ab)use of `pcnfs` RPC program (version 2 only) (1999) - **SKIMCOUNTRY** Steal mobile phone log data - **SLYHERETIC_CHECKS** Check if a target is ready for **SLYHERETIC** (not included) - **slugger**: various printers RCE, looks like `CVE-1999-0078`looks - **statdx** Redhat Linux 6.0/6.1/6.2 rpc.statd remote root exploit (IA32) - **telex** Telnetd RCE for RHL ? `CVE-1999-0192`? - **toffeehammer** RCE for `cgiecho` part of `cgimail`, exploits fprintf - **VS-VIOLET** Solaris 2.6 - 2.9, something related to [XDMCP]( # Anti-forensic - **Auditcleaner** cleans up `audit.log` - **DIZZYTACHOMETER**: Alters RPM database when system file is changed so that RPM (>4.1) verify doesn't complain - **DUBMOAT** Manipulate utmp - **pcleans**: `pacctl` manipulator/cleaner - **scrubhands** post-op cleanup tool? - **toast**: `wtmps` editor/manipulator/querier # Control ## Iting HP-UX, Linux, SunOS - **FUNNELOUT**: database-based web-backdoor for `vbulletin` - **hi** UNIX bind shell - **jackpop** redirector/bind shell for SPARC - **NOPEN** Backdoor? A RAT or post-exploitation shell consisting of a client and a server that encrypts data using RC6 [source]( - **ORLEANSTRIDE** - **SAMPLEMAN / ROUTER TOUCH** Clearly hits Cisco via some sort of redirection via a tool on port 2323... (thanks to @cynicalsecurity) - **SECONDDATE** Implant for Linux/FreeBSD/Solaris/JunOS - **SHENTYSDELIGHT** Linux keylogger - **SIDETRACK** implant used for **PITCHIMPAIR** - **SIFT** Implant for Solaris/Linux/FreeBSD - **SLYHERETIC** SLYHERETIC is a light-weight implant for AIX 5.1:-5.2 Uses Hide-in-Plain-Sight techniques to provide stealth. - **STRIFEWORLD**: Network-monitoring for UNIX, needs to be launched as root. Strifeworld is a program that captures data transmitted as part of TCP connections and stores the data in a memory for analysis. Strifeworld reconstructs the actual data streams and stores each session in a file for later analysis. - **SUCTIONCHAR**: 32 or 64 bit OS, solaris sparc 8,9, Kernel level implant - transparent, sustained, or realtime interception of processes input/output vnode traffic, able to intercept ssh, telnet, rlogin, rsh, password, login, csh, su, … ## CnC - **Seconddate_CnC**: CnC for **SECONDDATE** - **ELECTRICSIDE** likely a big-fat-ass CnC - **NOCLIENT** Seems to be the CnC for **NOPEN*** - **DEWDROP** - **PORKSERVER** inetd-based server for the **PORK** implant # Privesc ## Linux - **h**: linux kernel privesc, old-day compiled `hatorihanzo.c`, do-brk() in 2.4.22 [CVE-2003-0961]( - **gsh**: `setreuid(0,0);execl("bash","/bin/bash")` - **PTRACE/FORKPTY**/**km3**: linux kernel lpe, kmod+ptrace, [CVE-2003-0127](, ( - **EXACTCHANGE**: NULL-deref based local-root, based on various sockets protocols, compiled in 2004, made public in 2009 - **ghost**:`statmon`/tooltalk pAquarivesc? - **ELGINGAMBLE**: LPE, takes advantage of an input validation error in the kernel (prctl core dump) to create a cron script that spawns root shell. Linux 2.6.13 - - **ESTOPFORBADE** local root `gds_inet_server` for, Cobalt Linux release 6.0, to be used with **complexpuzzle** - **ENVOYTOMATO** LPE through bluetooth stack(?) - **ESTOPMOONLIT** Linux LPE, using `binfmt_aout` module - **EPOXYRESIN** Linux LPE - **SM11X** - Linux LPE for RHEL7/7.1, SUSE 7.2 using sendmail 8.11-8.12.beta16 ## AIX - **EXCEEDSALON-AIX** privesc ## Others - **procsuid**: setuid perl (yes, it's a real thing) privesc through unsanitized environnement variables. wtf dude - **elatedmonkey**: cpanel privesc (0day) using `/usr/local/cpanel/3rdparty/mailman/`. Creates mailman mailing list: `mailman config_list` - **estesfox**: logwatch privesc, [old-day]( - **evolvingstrategy**: privesc, likely for Kaspersky Anti-virus (`/sbin/keepup2date` is kaspersky's stuff) (what is `ey_vrupdate`?) - **EVOKEPROMPT** (eh-privesc) Exploits Open WebMail 's `` script (above v2.10), requires valid session token - **escrowupgrade** cachefsd for solaris 2.6 2.7 sparc - **ENGLANDBOGY** local exploit Xorg X11R7 1.0.1, X11R7 1.0, X11R6 6.9, Includes the following distributions: MandrakeSoft Linux 10.2, Ubuntu 5.0.4, SuSE Linux 10.0, RedHat Fedora Core5, MandrakeSoft Linux 2006.0. requires a setuid Xorg - **endlessdonut**: Apache fastcgi privesc # Interesting stuff [- [default passwords list]( (courtesy of x0rz) ](https://) - []( ( (wow!)File:!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU9